Implemented usage vnc+tls

Enable TLS transport + Authentication

compute:
  qemu:
    vnc:
      tls:
        enabled: True

controller:
  novncproxy:
    tls:
      enabled: True

You are able to set custom certificates in pillar:

  nova:compute:qemu:vnc:tls:cacert (certificate content)
  nova:compute:qemu:vnc:tls:cert (certificate content)
  nova:compute:qemu:vnc:tls:key (certificate content)

  nova:controller:novncproxy:tls:cacert (certificate content)
  nova:controller:novncproxy:tls:cert (certificate content)
  nova:controller:novncproxy:tls:key (certificate content)
  nova:controller:novncproxy:tls:allfile (certificate content)

Related-Prod: PROD-19979

Change-Id: Ib2d1c42cd118903372e4b35971e4923d197571b1
diff --git a/nova/compute.sls b/nova/compute.sls
index 5a13581..24c09e0 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -206,6 +206,50 @@
 {%- endif %}
 {%- endif %}
 
+{%- if compute.qemu.vnc.tls.get('enabled', False) %}
+
+{%- set ca_file=compute.qemu.vnc.tls.get('ca_file') %}
+{%- set key_file=compute.qemu.vnc.tls.get('key_file') %}
+{%- set cert_file=compute.qemu.vnc.tls.get('cert_file') %}
+
+qemu_ca_nova_compute:
+{%- if compute.qemu.vnc.tls.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: nova:compute:qemu:vnc:tls:cacert
+    - mode: 444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ ca_file }}
+{%- endif %}
+
+qemu_public_cert:
+{%- if compute.qemu.vnc.tls.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: nova:compute:qemu:vnc:tls:cert
+    - mode: 440
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ cert_file }}
+{%- endif %}
+
+qemu_private_key:
+{%- if compute.qemu.vnc.tls.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: nova:compute:qemu:vnc:tls:key
+    - mode: 400
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ key_file }}
+{%- endif %}
+
+{%- endif %}
+
 nova_compute_services:
   service.running:
   - enable: true
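Review bot: The `qemu_private_key` state writes the key with `mode: 400` but sets no `user`/`group`, so ownership is whatever the Salt minion runs as; the VNC TLS key is opened by the QEMU process rather than by the minion, so confirm on the target that the QEMU user can read it and pin ownership explicitly with `- user: <qemu-user placeholder>` and `- group: <qemu-group placeholder>` (the same applies to `qemu_public_cert` with `mode: 440`). Unlike the controller hunk, none of these states has a `watch_in` on a service, so a rotated certificate is written to disk but nothing restarts libvirt/qemu to pick it up — if that is intentional, a comment saying so would help. The `file.exists` fallbacks are indented three spaces (`   - name:`) while the rest of the hunk uses four; Salt accepts both, but four keeps the file consistent.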
diff --git a/nova/controller.sls b/nova/controller.sls
index 528e0b0..86c0f35 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -64,6 +64,65 @@
       - user: user_nova
 {%- endif %}
 
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+
+{%- set ca_file=controller.novncproxy.tls.get('ca_file') %}
+{%- set key_file=controller.novncproxy.tls.get('key_file') %}
+{%- set cert_file=controller.novncproxy.tls.get('cert_file') %}
+{%- set all_file=controller.novncproxy.tls.get('all_file') %}
+
+novncproxy_ca_nova_compute:
+{%- if controller.novncproxy.tls.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: nova:controller:novncproxy:tls:cacert
+    - mode: 444
+    - makedirs: true
+    - watch_in:
+      - service: nova_controller_services
+{%- else %}
+  file.exists:
+   - name: {{ ca_file }}
+{%- endif %}
+
+novncproxy_public_cert:
+{%- if controller.novncproxy.tls.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: nova:controller:novncproxy:tls:cert
+    - mode: 440
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ cert_file }}
+{%- endif %}
+
+novncproxy_private_key:
+{%- if controller.novncproxy.tls.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: nova:controller:novncproxy:tls:key
+    - mode: 400
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ key_file }}
+{%- endif %}
+
+novncproxy_all_file:
+{%- if controller.novncproxy.tls.allfile is defined %}
+  file.managed:
+    - name: {{ all_file }}
+    - contents_pillar: nova:controller:novncproxy:tls:allfile
+    - mode: 440
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ all_file }}
+{%- endif %}
+
+{%- endif %}
+
 {%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}
 
 contrail_nova_packages:
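Review bot: Only `novncproxy_ca_nova_compute` carries `- watch_in:` / `- service: nova_controller_services`; `novncproxy_public_cert`, `novncproxy_private_key` and `novncproxy_all_file` do not, so a rotated client cert or key is written to disk without the proxy being restarted and the old credential stays in use until something else bounces the service. Add the same two `watch_in` lines to the three other `file.managed` states. The state id `novncproxy_ca_nova_compute` looks carried over from the compute state; `novncproxy_ca` would describe what it manages, and the pillar key `allfile` versus the map key `all_file` is a naming mismatch worth aligning. As in compute.sls, the `file.exists` fallbacks are indented three spaces rather than four.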
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index 8883c82..a9eff62 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -9847,6 +9847,12 @@
 {%- else %}
 vncserver_listen={{ controller.bind.get('novncproxy_address', '0.0.0.0') }}
 {%- endif %}
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+auth_schemes=vencrypt
+vencrypt_client_key={{controller.novncproxy.tls.key_file|yaml_squote}}
+vencrypt_client_cert={{controller.novncproxy.tls.cert_file|yaml_squote}}
+vencrypt_ca_certs={{controller.novncproxy.tls.ca_file|yaml_squote}}
+{%- endif %}
 
 #
 # Keymap for VNC.
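Review bot: Setting `auth_schemes=vencrypt` alone drops the `none` fallback, so — as far as I recall nova's handling of this option — once the controller side is enabled the proxy can only reach hypervisors whose libvirt VNC has TLS turned on, and computes still at the default `enabled: False` lose console access rather than degrading to plain VNC. That is the stricter and preferable setting, but neither the template nor the commit message states the ordering requirement (enable `nova:compute:qemu:vnc:tls` on every compute first), so add a comment above the block, e.g. `# vencrypt only: every compute must have nova:compute:qemu:vnc:tls enabled`, and a sentence in the commit description. The enclosing `[vnc]` section continues outside the hunk.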
diff --git a/nova/files/queens/qemu.conf.Debian b/nova/files/queens/qemu.conf.Debian
index cb20491..3960007 100644
--- a/nova/files/queens/qemu.conf.Debian
+++ b/nova/files/queens/qemu.conf.Debian
@@ -31,7 +31,11 @@
 # before enabling this.
 #
 #vnc_tls = 1
-
+{%- if compute.qemu.vnc.tls.get('enabled', False) %}
+vnc_tls = 1
+vnc_tls_x509_verify = 1
+vnc_tls_x509_cert_dir = {{compute.qemu.vnc.tls.cert_dir|yaml_squote}}
+{%- endif %}
 
 # Use of TLS requires that x509 certificates be issued. The
 # default it to keep them in /etc/pki/libvirt-vnc. This directory
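Review bot: libvirt looks for fixed file names (ca-cert.pem, server-cert.pem, server-key.pem) inside `vnc_tls_x509_cert_dir`, which the qemu.conf comment continuing past this hunk describes, while map.jinja exposes `key_file`, `cert_file` and `ca_file` as independently overridable paths; a pillar that changes one of those paths without moving `cert_dir` yields states that manage files libvirt never reads, and with `vnc_tls_x509_verify = 1` the guest then fails to start instead of falling back. Either derive the three paths from `cert_dir` in map.jinja or document the constraint next to the defaults, e.g. `# key_file/cert_file/ca_file must stay inside cert_dir under libvirt's fixed names`. `vnc_tls_x509_verify = 1` also makes client certificates mandatory, which is what the controller-side `vencrypt_client_*` settings supply — worth a comment so nobody relaxes it.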
diff --git a/nova/map.jinja b/nova/map.jinja
index 8c9eb96..9170cf0 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -49,6 +49,14 @@
             }
           }
         },
+        'novncproxy': {
+          'tls': {
+            'enabled': false,
+            'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+            'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+            'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+          }
+        },
     },
     'RedHat': {
         'pkgs': pkgs_list,
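Review bot: The controller defaults define `key_file`, `cert_file` and `ca_file` but no `all_file`, yet nova/controller.sls reads `controller.novncproxy.tls.get('all_file')` and uses it as the `name` of `novncproxy_all_file`; with TLS enabled and no pillar override that state renders with `name: None`, and the `file.exists` fallback then fails on a nonexistent path rather than with a clear message. Add `'all_file': '/etc/pki/nova-novncproxy/<placeholder>.pem',` beside the other three (the RedHat block in the next hunk of this file has the same gap).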
@@ -67,6 +75,14 @@
             }
           }
         },
+        'novncproxy': {
+          'tls': {
+            'enabled': false,
+            'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+            'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+            'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+          }
+        },
     },
 }, merge=pillar.nova.get('controller', {}), base='BaseDefaults') %}
 
@@ -124,6 +140,14 @@
   libvirt_service: libvirt-bin
   bind: compute_bind_defaults
   debug: false
+  qemu:
+    vnc:
+      tls:
+        enabled: False
+        key_file: '/etc/pki/libvirt-vnc/server-key.pem'
+        cert_file: '/etc/pki/libvirt-vnc/server-cert.pem'
+        ca_file: '/etc/pki/libvirt-vnc/ca-cert.pem'
+        cert_dir: '/etc/pki/libvirt-vnc'
   libvirt:
     inject_partition: '-2'
     inject_password: False
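Review bot: `enabled: False` sits directly under `debug: false` in the same mapping; YAML 1.1 parsers accept both spellings, but lowercase `false` matches the surrounding file and yamllint's truthy rule, so change it to `enabled: false` here and in the RedHat compute block in the next hunk.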
@@ -168,6 +192,14 @@
   libvirt_service: libvirtd
   bind: compute_bind_defaults
   debug: false
+  qemu:
+    vnc:
+      tls:
+        enabled: False
+        key_file: '/etc/pki/libvirt-vnc/server-key.pem'
+        cert_file: '/etc/pki/libvirt-vnc/server-cert.pem'
+        ca_file: '/etc/pki/libvirt-vnc/ca-cert.pem'
+        cert_dir: '/etc/pki/libvirt-vnc'
   libvirt:
     inject_partition: '-2'
     inject_password: False